You didn't read the spec. And you didn't mention Stdio. Stdio is secure and that's what is used by Claude Desktop the first MCP client and they don't support SSE yet. Since the start, SSE was set a draft and there was a long discussion over the authentification implementation first round already got defined and second is defined again.

I saw a lot of articles since MCP was buzzing same claims copy & paste. And the post show a lot of confusion for what MCP is and MCP do.